fix: reuse shared Synology Chat secret compare

This commit is contained in:
Peter Steinberger
2026-04-04 19:49:25 +09:00
parent c5b2b69f94
commit 36cc397548
2 changed files with 4 additions and 10 deletions


@@ -34,6 +34,7 @@ Docs: https://docs.openclaw.ai
### Fixes
- Synology Chat/security: route webhook token comparison through the shared constant-time secret helper for consistency with other bundled plugins.
- Models/MiniMax: honor `MINIMAX_API_HOST` for implicit bundled MiniMax provider catalogs so China-hosted API-key setups pick `api.minimaxi.com/anthropic` without manual provider config. (#34524) Thanks @caiqinghua.
- Usage/MiniMax: invert remaining-style `usage_percent` fields when MiniMax reports only remaining percentage data, so usage bars stop showing nearly-full remaining quota as nearly-exhausted usage. (#60254) Thanks @jwchmodx.
- MiniMax: advertise image input on bundled `MiniMax-M2.7` and `MiniMax-M2.7-highspeed` model definitions so image-capable flows can route through the M2.7 family correctly. (#54843) Thanks @MerlinMiao88888888.


@@ -2,7 +2,7 @@
* Security module: token validation, rate limiting, input sanitization, user allowlist.
*/
import * as crypto from "node:crypto";
import { safeEqualSecret } from "openclaw/plugin-sdk/browser-support";
import {
createFixedWindowRateLimiter,
type FixedWindowRateLimiter,
@@ -14,18 +14,11 @@ export type DmAuthorizationResult =
/**
* Validate webhook token using constant-time comparison.
* Prevents timing attacks that could leak token bytes.
* Reject empty tokens explicitly; use shared constant-time comparison otherwise.
*/
export function validateToken(received: string, expected: string): boolean {
if (!received || !expected) return false;
// Use HMAC to normalize lengths before comparison,
// preventing timing side-channel on token length.
const key = "openclaw-token-cmp";
const a = crypto.createHmac("sha256", key).update(received).digest();
const b = crypto.createHmac("sha256", key).update(expected).digest();
return crypto.timingSafeEqual(a, b);
return safeEqualSecret(received, expected);
}
/**
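Review bot: The docstring above `validateToken` still promises a "constant-time comparison" that "prevents timing attacks that could leak token bytes", but after this hunk the function body is only the empty-token guard plus a call to `safeEqualSecret`, whose implementation is not visible here. The removed HMAC step existed so that inputs of differing length could be fed to `crypto.timingSafeEqual` (which throws on a length mismatch) without exposing the length; please confirm `safeEqualSecret` does equivalent normalization and, if so, state the delegation in the docstring instead of restating a guarantee the function no longer carries itself — e.g. replace the second docstring line with ` * Timing safety (including length normalization) is delegated to safeEqualSecret from the plugin SDK.`. Pulling a secret-comparison primitive from a subpath named `browser-support` also reads as incidental coupling; if the SDK exports it from a more general entry point, prefer that. The first hunk appears to drop the `node:crypto` import; if it does, confirm nothing else in this module (rate limiting, sanitization) still references `crypto`.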